Home > NetFlow Tutorial

NetFlow Tutorial

May 13th, 2016 Go to comments

Configure NetFlow

NetFlow version 5 and version 9 are commonly used nowadays so this part will show how to configure NetFlow in version 5 and 9. We only show the minimum configuration to help NetFlow work well.

Configure NetFlow version 5

The following configuration enables NetFlow version 5 on Fa0/1 interface and export to a NetFlow collector at 10.1.1.1 on UDP port 2055.

NetFlow_Configs.jpg

Router(config)#interface fa0/1
Router(config-if)#ip route-cache flow
Router(config-if)#exit
Router(config)#ip flow-export destination 10.1.1.1 2055
Router(config)#ip flow-export source fa0/2 //NetFlow will use Fa0/2 as the source IP address for the UDP datagrams sent to the NetFlow Collector
Router(config)#ip flow-export version 5
Router(config)#ip flow-cache timeout active 1 //export flow records every minute.

Note:

+ NetFlow version 5 can inspect inbound traffic only.
+ We can use either the command “ip route-cache flow” or “ip flow ingress” in this case. The former will enable flows on the physical interface and all sub-interfaces associated with it while the latter can be used on sub-interfaces and will enable flows on sub-interfaces only.
+ The last command “ip flow-cache timeout active 1” is necessary for NetFlow to work well. If you leave it at the default of 30 minutes your traffic reports will have spikes.

Configure NetFlow version 9

To configure NetFlow version 9 (Flexible NetFlow), we need to configure three components:
1. Flow Record
2. Flow Exporter
3. Flow Monitor

The following configuration enables NetFlow version 9 on Fa0/1 interface and export to a NetFlow collector at 10.1.1.1 on UDP port 2055.

1. Configure the Flow Record:
Router(config)# flow record TUT_Record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address

2. Configure the Exporter:
Router(config)# flow exporter TUT_Exporter
Router(config-flow-exporter)# destination 10.1.1.1

3. Configure the Flow Monitor
Router(config)# flow monitor TUT_Monitor
Router(config-flow-monitor)# record TUT_Record //Must match the above Flow Record name
Router(config-flow-monitor)# exporter TUT_Exporter //Must match the above Exporter name

4. Apply to an interface
Router(config)#interface fa0/1
Router(config-if)#ip flow monitor TUT_Monitor input //Monitor the receiving traffic on this interface

Small note: CEF should be enabled on the NetFlow Exporter router when running NetFlow. CEF decides through which interface traffic is exiting the router. Any NetFlow Collector will calculate the OUT traffic for an interface based on the Destination Interface value present in the NetFlow packets exported from the NetFlow Exporter. If the CEF is disabled on this router, the exported NetFlow packets will have “Destination interface” as “null” and this leads NetFlow Collector to show no OUT traffic for the interfaces.

Verification

After finishing configuration, we may need some commands to verify and troubleshoot our NetFlow configuration. Some popular commands used to check the NetFlow operation are listed below:

+ show ip cache flow: display a summary of the NetFlow accounting statistics. The output of this command has been showed above
+ show ip flow export: display the status and the statistics for NetFlow accounting data export, including the main cache and all other enabled caches

Router# show ip flow export
Flow export v5 is enabled for main cache
  Exporting flows to 10.1.1.1 (2055)
  Exporting using source interface FastEthernet0/2
  Version 5 flow records
  39676332 flows exported in 1440719 udp datagrams
  0 flows failed due to lack of export packet
  153 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

+ “show ip flow interface”: displays NetFlow accounting configuration on interfaces

R2# show ip flow interface
FastEthernet0/0
  ip route-cache flow

+ show ip flow top-talkers: show which end devices on your network are taking up the most bandwidth

Router# show ip flow top-talkers

SrcIf	SrcIPaddress	DstIf	DstIPaddress	Pr  SrcP  DstP  Bytes
Et0/1	191.168.1.1	Local	192.168.1.254	01  0000  0000  4800
Et0/2	191.168.1.2	Local	192.168.1.254	01  0000  0000  4800
Et0/3	191.168.1.3	Local	192.168.1.254	01  0000  0000  3400

 

Comments (5) Comments
Comment pages
1 2 3 2795
  1. Mia
    November 16th, 2016

    I recommended http://www.testmayor.com/200-125-test.html ! I passed my exam yesterday with the score 98%. You can try the demo before you pay for the order. 100% money back guarantee. You will lose nothing.

  2. halfmoon
    November 26th, 2016

    this still in 200-125

  3. jams
    December 1st, 2016

    @all

    any website which is helping in MCSE exams like 9tut

    please reply if some one know…………

  4. Confused on version 5 and 9 diff
    December 15th, 2016

    I have been reading up on NetFlow because I will have to deploy it soon.
    Sup2T Cisco 6513 using VSS with IOS 15.2SY.
    I went over the Cisco document “NetFlow Configuration Guide, Cisco IOS Release 15M&T” and the examples it had for version 9 deployment mirror the version 5 configurations here not the ones listed for version 9. I based my configs on that so my version 9 config looks like.

    core#config -t
    core(config)# ip flow-export destination XXX.XXX.XXX.XXX udp-port XXXX
    core(config)# ip flow-export destination XXX.XXX.XXX.XXX udp-port XXXX
    core(config)# ip flow-export version 9
    core(config)# interface gX/X/X
    core(config-if)# ip flow ingres
    core(config)# interface gX/X/X
    core(config-if)# ip flow ingress
    core(config)# interface gX/X/X
    core(config-if)# ip flow ingress

    core(config)# ip flow-export destination XXX.XXX.XXX.XXX udp-port XXXX
    core(config)# ip flow-export destination XXX.XXX.XXX.XXX udp-port XXXX
    core(config)# ip flow-export source gX/X/X
    core(config)# ip flow-export source gX/X/X
    core(config)# ip flow-export source gX/X/X
    core(config)# ip flow-export version 9
    core(config)# ip flow-export interface-names
    core(config)# ip flow-export template refresh-rate 15
    core(config)# ip flow-export template timeout-rate 90
    core(config)# ip flow-export template options export-stats

    Which is the proper method for deployment or is

  5. Sabrina
    December 22nd, 2016

    Passed today, 200-125 exam thanks to http://pdfdumps.us/exam/200-125.html

Comment pages
1 2 3 2795